Re: Problems Authorizing Windows Updates



"Flash Gordon" <spam@xxxxxxxxxxxxxxxxxx> wrote in message
news:nbdlb5xa1n.ln2@xxxxxxxxxxxxxxxxxxxxxxxxxx
Will wrote, On 23/03/08 17:53:
"Burkhard Ott" <b.ott@xxxxxxxxx> wrote in message
news:fs5rtp$qve$01$1@xxxxxxxxxxxxxxxxxxxx
On Sun, 23 Mar 2008 00:33:12 -0700, Will wrote:

I'm having some problems with firewall authorizations for Windows Update
access in a DMZ. In general, I have had good luck getting access to
Windows Update when you authorize passage of HTTP, HTTPS, and FTP to
these networks:

131.107.0.0 / 16
207.46.0.0 / 16
64.4.0.0 / 18
65.52.0.0 / 14

In addition, I normally authorize these URLs for both http: and https:

*.microsoft.com
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
download.windowsupdate.com

The problem I am having is that occasionally the DNS name
"download.windowsupdate.com" resolves to some IPs on a huge network from
the
Why don't you use a proxy?

We use NAT on the firewall for all outgoing connections, and a proxy
isn't going to improve much on that. The thing we are trying to prevent
is the ability to reach unauthorized IPs by any means. If Windows Update
has download.windowsupdate.com resolving to half the Internet, you end up
having to open up through the firewall outgoing connections to a lot of
hosts that could be used to control a compromised host or to further the
compromise.

Set up rules so that only the proxy can access anything on ports 80 and
443 then the proxy can be set to only allow access to specific URLs. Then
the only way they can access anything the proxy does not allow is by
poisoning your DNS or accessing through some other port you have left open
on the firewall.

The most secure solution would be if Microsoft published a list of networks
and IPs it wants to use for download.windowsupdate.com. I guess that won't
happen.

I guess you are right; the only other solution is to rely on URLs
correctly passing the target hostname in the URL, and firewall rules
focus on the URLs. As you mention, you are vulnerable to a DNS redirection
by poisoning the cache. I'll work out something a little more secure than
relying on just the URL, but in general I know where I need to go, and
thanks.

--
Will
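An added example, not posted by anyone in the thread, that combines the two allowlists discussed above (the authorized networks and the URL patterns) and flags the gap Will describes: a hostname the URL rules admit resolving to an address outside the authorized networks. The resolver output is a constructed sample, not live DNS, with 203.0.113.0/24 (a documentation range) standing in for the "huge network".

```python
import ipaddress

# Authorized networks and URL patterns exactly as listed in the thread.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in (
    "131.107.0.0/16", "207.46.0.0/16", "64.4.0.0/18", "65.52.0.0/14")]
AUTHORIZED_HOSTS = ["*.microsoft.com", "windowsupdate.microsoft.com",
                    "*.windowsupdate.microsoft.com", "download.windowsupdate.com"]


def host_allowed(host, patterns=AUTHORIZED_HOSTS):
    """True if host matches an allowlist entry. A '*.x' entry matches
    subdomains of x only: never x itself, nor look-alikes such as 'evil-x'
    or 'x.attacker.net', which naive substring checks would admit."""
    host = host.rstrip(".").lower()          # normalize FQDN dot and case
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if host.endswith(pat[1:]):       # pat[1:] keeps the leading dot
                return True
        elif host == pat:
            return True
    return False


def ip_allowed(ip, nets=AUTHORIZED_NETS):
    """True if the address lies inside one of the authorized networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def audit_resolutions(resolutions):
    """resolutions: {hostname: [ip, ...]} as seen by the resolver.
    Returns (host, ip) pairs the URL allowlist admits but the address
    allowlist rejects; that is the gap the thread describes, and where a
    poisoned DNS answer slips past URL-only filtering."""
    gaps = []
    for host, ips in resolutions.items():
        if not host_allowed(host):
            continue                         # proxy would refuse it anyway
        gaps.extend((host, ip) for ip in ips if not ip_allowed(ip))
    return gaps


# Constructed sample resolver output (hypothetical, not real DNS data).
SAMPLE = {
    "download.windowsupdate.com": ["207.46.12.34", "203.0.113.7"],
    "update.microsoft.com": ["65.52.1.9"],
    "evil-microsoft.com": ["203.0.113.9"],
}

if __name__ == "__main__":
    for host, ip in audit_resolutions(SAMPLE):
        print(f"{host} resolved to {ip}, outside the authorized networks")
```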